Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload

Description The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

PoC

1. Go to the plugin setting and in the “Restore” section upload the backup file by the “Select File” button(.ebwp format). Select an a file on your computer with the .ebwp extension. It must have some contents to pass the plugins validation check. As a PoC, add `` 2. Capture the HTTP request and in “Content-Disposition:” change the file extension .php. 3. Check the response of the HTTP request and if the upload was successful the status code will be “200” and in the body, you can see the path of your file. 4. Open the file and run the code, i.e cmd.php?cmd=ls open the file and run your code. In this example, you will get a directory listing.